As a highly regulated industry, Life Sciences companies clearly invest in building strong corporate compliance programs. The increasing complexity of business, technology, and the evolving global regulatory environment require compliance organizations to constantly monitor their effectiveness and influence on the business. Several recent regulatory events have caused many companies to pause and assess their existing programs:
- Foreign Corrupt Practices Act (FCPA) - In 2016, large penalties were levied against several pharmaceutical companies.
- General Data Protection Regulation (GDPR) - the new EU data privacy regulation will be in force in May 2018. The GDPR requires greater oversight on how personal data is being collected, stored, processed and transferred. With the threat of high fines for inadequate controls, involvement by Compliance directly into personal data processes will be required.
- Evaluation of Corporate Compliance Programs - In January, the Department of Justice issued a series of topics that they ‘frequently found relevant in evaluating a corporate compliance program’. While the topics were not presented as guidelines, pharmaceutical companies are comparing their own organization to the standards by which the DOJ may one day be evaluating them.
Here’s a look at each of these compliance programs in more detail:
Foreign Corrupt Practices Act (FCPA)
The Foreign Corrupt Practices Act of 1977 (FCPA) is a United States federal law that addresses requirements for accounting transparency under the Securities Exchange Act of 1934, as well as the bribery of foreign officials, making it illegal for companies and their supervisors to influence foreign officials with any personal payments or rewards.
Life Science relationships with hospitals, clinical trial subjects, researchers, doctors, vendors and distributors around the world, are all subject to scrutiny with regulators and law-enforcement agencies. Technology makes it easier for law-enforcement to detect illegal activity and when they do, it is not just the individual behavior that is scrutinized but also the compliance organization itself. In 2016, both the DOJ and SEC handed down big fines to one organization, specifically citing the company’s failure to implement adequate systems of control and enforcement. Judgements on internal controls substantially increase the penalties beyond the single illegal activity. Compliance programs need to be dynamic and flexible and include Information Governance to address business expansion and M&A that may increase FCPA exposure risk.
General Data Protection Regulation (GDPR)
The GDPR is not just a regulation, it is being considered the new norm in the protection of individuals’ privacy rights. The GDPR is a very prescriptive regulation with a high level of demonstrable accountability attached. To comply, a deep understanding of corporate day-to-day operations and strategic planning will be demanded from Compliance, which is beyond its traditional role of policy development and interaction with regulators. This is particularly true as companies seek to communicate the value of the drugs they produce and leverage Real World Evidence (RWE) to show efficacy of new drugs used by patients outside of clinical trials. The personal data that is collected in these efforts may be very sensitive and must be handled carefully to comply with the GDPR. The new role of Data Protection Officer (DPO), mandated by the GDPR, may be part of the compliance organization, and expands the requirement for Compliance to work closely with business.
DOJ Evaluation of Corporate Compliance Programs
In January of 2017, the Department of Justice issued a detailed view into specific characteristics of a compliance organization that prosecutors should consider in conducting a corporate investigation. The memo provides 11 areas to assess the existence and effectiveness (or remedial efforts) of a corporate compliance program. While the topics are not intended to dictate program design to every compliance organization, some companies are using it as a type of maturity model to self-assess. The topics highlighted by the DOJ include:
Evaluation of Corporate Compliance Programs
- Analysis and Remediation of Underlying Misconduct
- Senior and Middle Management
- Autonomy and Resources
- Policies and Procedures
- Operational Integration
- Risk Assessment
- Training and Communication
- Confidential Reporting and Investigation
- Incentives and Disciplinary Measures
- Contiuous Improvement, Periodic Testing and Review
- Third Party Management
- Mergers and Acquisitions
Compliance continues to be an important line of defense against illegal activities and to mitigate regulatory and litigation risk. Now more than ever, compliance organizations are working proactively to demonstrate corporate responsibility to regulators, law enforcement agencies, customers and the general public by updating the structure and culture of compliance programs and expanding the scope by including programs like GDPR compliance. A current state assessment is a good place to start to begin the evolution toward a more effective compliance program that supports the goals of the organization.
How does your company monitor effectiveness of its compliance programs? Let us know in the comments section below!